diff --git a/configuration/default.nix b/configuration/default.nix
index f4309ea..0043336 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -53,6 +53,7 @@
 networking = {
 hostName = "tlaternet";
 usePredictableInterfaceNames = false;
+ useDHCP = false;
 firewall = {
 allowedTCPPorts = [
diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix
index 867dcd5..f598e19 100644
--- a/configuration/services/wireguard.nix
+++ b/configuration/services/wireguard.nix
@@ -1,4 +1,9 @@
 {config, ...}: {
+ # iptables needs to permit forwarding from wg0 to wg0
+ networking.firewall.extraCommands = ''
+ iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
+ '';
+
 systemd.network = {
 netdevs = {
 "20-wg0" = {
@@ -38,9 +43,25 @@
 "20-wg0" = {
 matchConfig.Name = "wg0";
- networkConfig.Address = [
- "10.45.249.1/24"
- # TODO(tlater): Add IPv6 whenever that becomes relevant
+ networkConfig = {
+ Address = [
+ "10.45.249.1/32"
+ # TODO(tlater): Add IPv6 whenever that becomes relevant
+ ];
+
+ IPForward = "yes";
+ IPv4ProxyARP = "yes";
+ };
+
+ routes = [
+ {
+ routeConfig = {
+ Source = "10.45.249.0/24";
+ Destination = "10.45.249.0/24";
+ Gateway = "10.45.249.1";
+ GatewayOnLink = "no";
+ };
+ }
 ];
 linkConfig.RequiredForOnline = "no";
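Review bot: `useDHCP = false` turns off DHCP for every interface, and nothing in this hunk configures a static address or default route for the physical uplink, so unless that is done elsewhere (presumably via systemd.network, given the wireguard module) the host could boot without network access. The setting deserves a comment stating where addressing now comes from, e.g. `# Interfaces are configured statically via systemd-networkd (see services/).`, so the next maintainer does not re-enable DHCP or remove the networkd units without realising they are coupled. The `networking` attribute set continues outside the hunk.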
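Review bot: The rule added via `networking.firewall.extraCommands` is appended with `-A` but never removed, so a firewall reload or stop will leave the ACCEPT in place (and reloads accumulate duplicates); add the matching teardown, `networking.firewall.extraStopCommands = "iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT 2>/dev/null || true";`. The rule also allows every WireGuard peer to reach every other peer unconditionally; if that is intended, the comment should say so, e.g. `# Allow peer-to-peer traffic between all wg0 clients (hub-and-spoke); tighten with per-peer rules if isolation is needed.` Note that `extraCommands` is iptables-only, so this will need revisiting if the host is ever switched to the nftables backend, and IPv6 forwarding will need an `ip6tables` counterpart once the IPv6 TODO is addressed. The `systemd.network` block this hunk opens continues outside the hunk.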